Heartland Breach

Heartland Payment Systems acts as a payment gateway for credit card transactions for over 250,000 businesses. At some point a sniffer was installed in their data center intercepting all transactions. Some media outlets are calling this the “largest data breach ever”. They process “100 million credit card payments a month and more than 4 billion transactions per year” but currently have no idea when the malicious software was installed.

Most states (and federal and industry regulations) strictly mandate how breaches are reported to consumers and how quickly. Unfortunately, this incident falls into a bit of a gray area in that consumers are two steps removed from the breach. As best I can tell, Heartland simply has to notify their customers (mostly restaurants and other businesses) and then it's the responsibility of these 250,000 or so businesses to inform their customers. I assure you that some will slip through the cracks or intentionally not be notified by small businesses fearing bad PR.

Heartland just launched a site to provide some positive PR and is sending it to their customers (not end consumers). They did not distribute this URL to the general public. The reason this entirely new domain (which does not contain “heartland” at all) was launched is that Heartland’s main site makes no mention of the breach at all.

After reading the Heartland statement by Robert O. Carr, CEO, it becomes abundantly clear where their loyalty and concerns lie. With statements like:

“In fact, since our disclosure of the breach on Tuesday, January 20, 2009, more than 400 new merchants, new payroll clients and new check management clients have demonstrated their continued trust in our services by joining as new customers.”

This is clearly damage control. It’s in poor taste to mix marketing with breach notifications.

“As a cardholder, you will not be held financially responsible for any unauthorized transactions. You should regularly monitor your card and bank statements and report all suspicious activity to your issuing bank (the bank that issued the card, not the card brand).”

That last statement is the only thing that even makes reference to the end consumers whose data was compromised. Most breach laws require that the responsible party (Heartland) purchase credit card monitoring services for a year for each affected person. This statement indicates that “you will not be held financially responsible” but does not explain why or how. It does not indicate that Heartland will reimburse you as a consumer, nor does it say they will purchase credit monitoring services for you.

This is just another example of how we, as modern consumers, need to take responsibility for our own safety and proactively monitor our own accounts. We are obviously in this alone.